New "Triton" ICS Malware Used in Critical Infrastructure Attack

A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye reported on Thursday. Experts believe the attack was launched by a state-sponsored actor whose goal may have been to cause physical damage.

Few details have been provided about the targeted organization, and FireEye has not linked the attack to any known group, but believes with moderate confidence that it’s a nation state actor. This assumption is based on the apparent lack of financial motivation and the amount of resources necessary to pull off such an attack.

The activity observed by FireEye may have been conducted during the reconnaissance phase of a campaign, and it’s consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

The malware, which FireEye has dubbed “Triton,” is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

According to analysis (PDF) conducted by ICS cyber security firm Dragos, which calls the malware "TRISIS", the victim was an industrial asset owner in the Middle East.

The engineering and maintenance tool used by Triconex SIS products is TriStation. The TriStation protocol is proprietary and there is no public documentation for it, but Triton does leverage this protocol, which suggests that the attackers reverse engineered it when creating their malware.

Triton, which FireEye has described as an attack framework, is designed to interact with Triconex SIS controllers. The malware can write and read programs and functions to and from the controller, and query its state, but not all capabilities had been leveraged in this specific attack.

The hackers deployed Triton on a Windows-based engineering workstation. The malware had left legitimate programs running on the controllers in place, but added its own programs to the execution table. The threat attempts to return the controller to a running state in case of a failure, or overwrite the malicious program with junk data if the attempt fails, likely in an effort to cover its tracks.

In general, once the SIS controller has been compromised, the attacker can reprogram the device to trigger a safe state, which could cause downtime and result in financial losses. Attackers could also reprogram the SIS so that it allows dangerous parameters without triggering the safe state, which can have a physical impact, including on human safety, products and equipment, FireEye said.

However, the physical damage that can be done via the SIS controller is limited by the mechanical safety systems deployed by an organization.

In the case of the critical infrastructure attack investigated by FireEye, the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.

On the other hand, FireEye noted that “intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”

Schneider Electric has launched an investigation into this incident, but initial evidence suggests that Triton does not leverage any vulnerabilities in the Triconex product and the company is not aware of any other attacks.

“It is important to note that in this instance, the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment,” the industrial giant said.

Schneider said the targeted safety controllers are widely used in critical infrastructure, and it’s working on determining if there are any additional attack vectors. In the meantime, customers have been advised not to leave the front panel key position in “Program” mode when the controller is not being configured. The malware can only deliver its payload if the key switch is set to this mode. Signatures of the malware samples identified by FireEye have been provided to cybersecurity firms so security products should be able to detect at least some variants of the threat.

There are only a handful of malware families specifically designed to target industrial systems, including the notorious Stuxnet, and Industroyer, the malware used in the December 2016 attack aimed at an electrical substation in Ukraine. Last year, FireEye identified an ICS malware dubbed IRONGATE, but it had not been observed in any actual attacks, leading experts to believe that it may have been developed for research purposes.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.